Overview

Cisco NAC Profiler has been purpose-built to provide unique functionality in the discovery, location, and determination of the type and capabilities of all the endpoints connected to the enterprise network. The Cisco NAC Profiler system provides a contextual inventory of the endpoints using the network, enabling IT organizations to answer the increasingly important questions of what is connected to the network and where it is located.

Cisco NAC Profiler was developed specifically to aid in the deployment and ongoing administration of the IEEE standard 802.1X Port-based Access Control Authentication protocol, Network Admission Control (NAC), and MAC Authentication Bypass (MAB) authentication solutions. It provides network administrators with a means of efficiently addressing the commonly encountered challenges in the deployment and management of these next-generation security mechanisms:

• Identifying, locating, and determining the capabilities of all of the attached network endpoints regardless of endpoint type

• Protecting against inadvertently denying access to some endpoints

• Facilitating the efficient and effective deployment and ongoing management of authentication and NAC in enterprise networks of varying scale and complexity

In addition to supporting deployment of NAC and 802.1X, the Cisco NAC Profiler can also play a significant role in endpoint lifecycle management, independent of the deployment of NAC or port-based authentication. Many enterprises are finding that managing the organization's endpoints across their lifecycle is the next logical step toward realizing continued gains in network reliability and availability. "Endpoint" in this context includes all the devices that connect to the network, including user devices such as desktop and laptop computers, as well as the increasingly diverse set of other IP-enabled devices that use network services. The "endpoint lifecycle" as it is used here refers to all phases of the useful life of all network-attached devices, regardless of type or function. It begins when a new endpoint is first connected to the infrastructure and terminates with the retirement of that endpoint.

As networks grow larger, it becomes increasingly difficult to know with certainty what type of endpoint is connected to each edge port. In networks deploying port-based authentication or NAC, this creates a serious impediment to both the deployment and ongoing management of the enterprise network after implementation of these edge security solutions.

With the deployment of port-based authentication or NAC it is essential to know whether or not each endpoint at the edge of the network is capable of interacting with the authentication or NAC solution, so that appropriate provisioning can be performed to provide reliable and secure access to all authorized endpoints, regardless of their respective capabilities, at all times. Providing this capability in a way that minimizes administrative burden and is inherently dynamic is a prerequisite to successful deployment and operation of these edge security solutions, particularly in large-scale enterprise networks.

For example, devices such as printers, FAX machines, IP telephones and Uninterruptible Power Supplies typically are not equipped with an 802.1X client (properly termed a "supplicant" in the IEEE 802.1X standard). This means that the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials, and must instead revert to an alternative authentication mechanism (typically based on the endpoint MAC address) in order for these devices to connect to the network.

Similarly, in NAC deployments, special-purpose devices such as those listed above will not have an agent available, nor do they provide a means by which a user might intervene manually through a browser. As in the 802.1X case described previously, NAC systems therefore also require a means of identifying and locating the endpoints that are unable to interact with the authentication component of the system, so that the NAC system can afford these endpoints an alternative mechanism for being admitted to the network.

In this case, the ports connecting these endpoints must either be provisioned to circumvent the NAC system (for example, placed on a special VLAN) or, alternatively, the NAC system must be configured to recognize these devices by their unique hardware address in order to provide them access without direct participation in the admission control protocol. This typically requires that the NAC system be made aware of these endpoints by MAC address so that they can be admitted based on that credential alone, with no further interaction with the NAC system.

Both of these situations outline the need for a thorough understanding of the types of devices connecting to the network, their location and their abilities relative to the state of the port on which they currently reside. The Cisco NAC Profiler provides a solution to this need through its Endpoint Profiling and Identity Monitoring functions. The Endpoint Profiling and Identity Monitoring functionality performed by the Cisco NAC Profiler system can be utilized in enterprise networks ranging from hundreds to tens of thousands of endpoints. The following overviews of Endpoint Profiling and Identity Monitoring are provided as background to prepare personnel responsible for the configuration and management of the Cisco NAC Profiler.

Endpoint Profiling Overview

Endpoint Profiling records and analyzes the observable identity attributes of network-attached endpoints in order to classify each connected device into a particular group (Profile), and assesses its ability to participate in a given authentication or network admission control (NAC) solution. In essence, Endpoint Profiling is a characterization of endpoints by identity for the purpose of identifying and grouping together those that are similar in function, capability or other defining characteristics. Cisco NAC Profiler classifies or profiles each endpoint it discovers and locates on the network into exactly one Profile according to the passive and active profiling mechanisms of the endpoint profiling engine.

Each Profile is a logical container or grouping that contains one or more endpoints with similar behavioral characteristics (for example, printers, IP Phones, game consoles, etc.) and a similar ability to comply with the authentication, NAC or other requirements placed on the endpoints in a network. Each endpoint connected to the enterprise network either can or cannot interact with the authentication or admission control system to gain access to the network. Endpoints such as Windows or Linux computers are generally able to meet all the requirements of authentication and NAC systems, while devices such as printers, security badge readers, and manageable Uninterruptible Power Supplies (UPS) cannot.

Endpoint participation in authentication or admission control generally requires that the endpoint either submit credentials automatically (for example, via a supplicant or agent running on the endpoint and properly configured with the correct credentials) or through manual user intervention (for example, by entering user credentials in a web browser) in order to be authenticated successfully or admitted onto the network. Endpoints without this capability must be identified so that they are not subjected to direct authentication or admission control challenges.

In addition, enterprise networks can include systems that run Windows but do not participate in Authentication or NAC processes, either because they are federally regulated and their software images cannot be changed (for example, biomedical devices) or because they are not user-centric devices (robotics, research, etc.). Because these endpoints cannot respond to the challenge either automatically or through user intervention, alternate network provisioning must be performed to ensure these endpoints are provided with secure and reliable access to the network after implementation of port-based authentication or NAC. They are in fact authorized endpoints; however, their inherent limitations prevent them from being authenticated or admitted through interaction with the authentication or NAC system. In these kinds of enterprise environments, there can be an equal number of NAC-capable and non-NAC-capable devices. Cisco NAC Profiler is designed to address such networks.

Cisco NAC Profiler performs dynamic Endpoint Profiling. Endpoint Profiling identifies and locates each endpoint on the network, groups those endpoints according to their capabilities or limitations, then allows accommodation of non-authenticating or non-NAC endpoints through a choice of mechanisms: interacting with the network infrastructure directly to allow manual re-provisioning, or acting as a directory of non-authenticating or non-NAC capable endpoints. The Cisco NAC Profiler directory allows an authenticator or NAC system to make a qualified decision about a particular endpoint. The authentication server or NAC system accesses the Cisco NAC Profiler directory via APIs or protocols such as LDAP to get real-time profiling intelligence about endpoints as they try to access the network.

Cisco NAC Profiler's Endpoint Profiling is inherently dynamic and can detect changes at the network edge resulting from network adds, moves and changes. Profile Change events can be used to alert network or security operations and to enable re-provisioning required to effectively support moves, adds and changes in the authenticated or admission controlled network.

Cisco NAC Profiler's Endpoint Profiling provides the network administrator visibility into the state of the network down to the endpoint and network port level. Cisco NAC Profiler's reporting features provide real-time operation status for each switch port in the network, the endpoints connected to them, and the current Endpoint Profile assigned to each endpoint. Cisco NAC Profiler maintains a historical record on each endpoint so that location, logical addressing and Profile information can be easily recalled for purposes such as security event management forensics.

It is important for those involved with the deployment of Cisco NAC Profiler to fully understand the set of attributes that can be used by the system in determining the identity of endpoints on a network. These attributes are gathered by the Collectors deployed in the Cisco NAC Profiler system, which use several different techniques to collect endpoint data indicative of device type. Collected endpoint data is forwarded to the Cisco NAC Profiler Server as it is observed by the system Collectors.

Collected data for endpoints is subsequently evaluated (or re-evaluated as attributes change or new attributes are collected) against Endpoint Profiles containing one or more rules that specify the identity attributes that constitute a match for a particular endpoint type.

Table 1-1 outlines the endpoint attributes that are used in defining profile rules to determine endpoint identity in the current version of the Cisco NAC Profiler. Along with each endpoint identity attribute, the Collector component module that runs on the Cisco NAC Profiler Collectors and is responsible for collecting endpoint data of that type is also specified. The rules in the enabled endpoint profiles are evaluated against the observed data for an endpoint, and the profile decision is based on the best match. Profiles are logical containers of endpoints with similar identity attributes and capabilities; the system uses a rules-based approach that matches the observed identity attributes of each endpoint against the rules in order to make a profiling decision for every endpoint discovered by the system.

Table 1-1 Endpoint Identity Attributes

Endpoint Attribute | Description | Collector Components
MAC Address/MAC Vendor | The entire MAC address of an endpoint, or the manufacturer that registered the OUI. | NetMap (SNMP); NetWatch (ARP/DHCP)
IP Address | Full host address (or subnet) being used by the endpoint. | NetMap (SNMP); NetWatch (ARP/DHCP)
Open TCP port | Indication that an endpoint is accepting TCP connections on a specified TCP port, derived from traffic analysis. | NetWatch
DHCP Options | Full list of DHCP options supported by the DHCP client, as specified in the DHCP request. | NetWatch
DNS Name | The name the endpoint's IP address resolves to in DNS. | NetInquiry
RADIUS Accounting Information | The RADIUS username of an endpoint that has successfully completed RADIUS authentication. | NetRelay
Active Directory Attributes | Information about the endpoint maintained in Active Directory: domain membership; Active Directory Computer (Common) Name; Active Directory Computer Information (Computer OS, OS Version, OS Service Pack); Active Directory Domain (Distinguished) Name. | NetMap
CDP Information | Information in the CDP message that identifies the device to its upstream neighbor. | NetMap
SNMP System Description | Text string contained in the SNMP system description of devices added to the Profiler system configuration and polled by NetMap. | NetMap

Endpoint Attribute Learning by Cisco NAC Profiler

Cisco NAC Profiler uses the MAC address of endpoints as the primary identifier of each endpoint it discovers on the network. Endpoint identity attributes gathered by the system are referred to as being either "MAC learned" or "IP learned." MAC-learned endpoint data is, as the name suggests, learned from information that is directly attributable to the MAC address of an endpoint. In order for an identity attribute to be learned via MAC, the observation data gathered by the Profiler must itself contain a MAC identifier.

When the NetMap module running on a Collector discovers endpoints by querying the Source Address Tables of switches via SNMP, that information (the MAC addresses of the endpoints in the switch forwarding database) is considered MAC-learned. In addition, NetWatch processes Address Resolution Protocol (ARP) traffic received on monitor interfaces, which identifies endpoints by their MAC address. Lastly, DHCP packets include MAC addresses, so the information that Profiler collects from endpoint DHCP requests and from the replies of the DHCP service is also considered MAC-learned.

The remaining attributes of endpoint identity are gathered where the only identifier of the endpoint in the data processed by Profiler is the IP address in use by the endpoint, and are considered IP-learned. For example, if NetWatch observes an endpoint accepting a TCP connection on TCP port 9100, indicating that the endpoint is likely a printer, the flow of packets between the device requesting the print job and the endpoint accepting it (the printer) consistently provides only the IP addresses of the endpoints as identifiers.

Recall Table 1-1 earlier in this section, which outlined the endpoint attributes used to make profiling decisions. As described immediately above, there is a subset of these attributes, listed in Table 1-2, collected by the NetWatch and NetInquiry modules (and by the NetRelay module when NetFlow is used to find matches to Traffic Rules) that are learned strictly using endpoint IP addresses. The IP address of an endpoint can be thought of as an endpoint alias.

As a logical identifier, the same IP address may be used by different endpoints at different points in time, whereas the physical address (MAC address) of a network interface in most cases remains the same over the life of the device. IP-learned parameters are typically observed in packets from the network (or in NetFlow XDRs) where the only indication of the endpoints involved in the communication is the IP address they were using at the time the traffic was captured, either directly or summarized in a NetFlow data record. Cisco NAC Profiler must therefore maintain an IP-to-MAC mapping for endpoints in its database so that the data it learns via endpoint IP addresses can be tied back to the primary identifier of endpoints, the endpoint MAC address.

Table 1-2 IP-Learned Endpoint Identity Attributes

Endpoint Attribute | Description | Collector Components
Open TCP port | Indication that an endpoint is accepting TCP connections on a specified TCP port, derived from traffic analysis. | NetWatch

Maintaining an IP-to-MAC Mapping

Cisco NAC Profiler establishes the IP-to-MAC mapping for endpoints on the network being profiled using the three following techniques, relying once again on the endpoint data feeds provided to the system Collectors:

1. Observing a complete DHCP transaction from an endpoint, including the DHCPAck from the DHCP Server that assigned the endpoint its committed host address (NetWatch)

2. Observing a complete ARP transaction (request and response) for an endpoint (NetWatch)

3. Gathering router ARP cache information via SNMP polling (NetMap)

Methods 1 and 2 are the preferred methods for the Cisco NAC Profiler system to establish and maintain an IP-to-MAC binding for an endpoint. In situations where Profiler establishes a binding for an endpoint via either of these two methods, IP-to-MAC binding information from a router ARP cache for that endpoint is disregarded, giving precedence to the DHCP- or ARP-derived information from NetWatch.

When collecting IP-learned endpoint information, the Cisco NAC Profiler system assigns a relative confidence to each IP-to-MAC mapping based on the source of the mapping. When Cisco NAC Profiler has observed either a full DHCP transaction or an ARP exchange via NetWatch (methods 1 or 2 above), it sets a flag in the database indicating a higher-confidence IP-to-MAC mapping for that endpoint.

When endpoint identity attributes such as open TCP ports or traffic rule matches are learned for an endpoint while Cisco NAC Profiler holds a high-confidence IP-to-MAC binding for it, those observations are tagged with the endpoint MAC.

Tagging endpoint attributes with the MAC address allows IP-learned attributes to be persistently associated with the endpoint, even if the endpoint IP address changes. Of course the system will curtail future learning via the old IP for that endpoint going forward, but the important difference is that the IP-learned attributes added to the database for the endpoint before the IP address change remain associated with the endpoint. If the endpoint is in a Profile due to matching a rule based on IP-learned attributes, it remains in that Profile after the IP address change.

Cisco NAC Profiler treats IP-learned information for endpoints whose IP-to-MAC mapping is attained exclusively through NetMap and the gathering of ARP cache information via SNMP with a greater degree of caution. First and foremost, if Cisco NAC Profiler has NetMap data for an IP-to-MAC mapping that conflicts with information it learned previously via NetWatch (for example, ARP or DHCP), it will not update the mapping. Understanding that the ARP cache of a network device is subject to configurable timers, and might become stale, IP-learned information gathered for endpoints with an IP-to-MAC mapping derived only from NetMap data is not tagged to the MAC and therefore is not persistent as the endpoint changes its IP address.

In the scenario where the system determines that an IP address change has occurred for an endpoint with a low-confidence IP-to-MAC mapping (from a router ARP cache data only), all IP-learned information for that endpoint is disassociated from the endpoint in the database. If the endpoint was in a Profile due to IP-learned attributes at the time of the change to its IP address, the endpoint will transition Profiles as the IP-learned attributes are cleared and only MAC-learned information is retained.

It is worth understanding what would lead Cisco NAC Profiler to detect an endpoint changing IP address in this scenario. The indicator of an IP change by an endpoint would be the discovery of the endpoint MAC in a router ARP cache, mapped to an IP other than the one currently in the Cisco NAC Profiler database for that endpoint. Such a finding results in the update of the IP-to-MAC mapping maintained for the endpoint in the Profiler database, and the disassociation of the IP-learned information gathered previously because of the "weak" nature of the mapping. This may or may not result in the endpoint being re-profiled, depending on the rules in the current profile.

Again, this would only occur for endpoints that did not have a high-confidence IP-to-MAC mapping. When Profiler is able to view DHCP or ARP transactions directly, endpoints that change IP address regularly will have their IP-learned information remain intact, along with their profile. Understanding that this is what Profiler will have to work with, at the outset of the implementation it is important to review not only the top-level goals for how Profiler will be employed in this environment, but also what endpoint types are likely to be encountered and how data about them will be collected.
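The confidence rules described above, worked through as an added example (this is illustrative code written for this chapter, not Cisco NAC Profiler code; the class and method names, MAC addresses and IP addresses are constructed for the example):

```python
"""Model of the IP-to-MAC binding confidence rules described above.

Added illustration, not Cisco NAC Profiler code; the class and method
names are chosen for this example. Behaviour follows the text:
  - a binding observed by NetWatch (full DHCP transaction through the
    DHCPAck, or an ARP request/response) is high confidence, and any
    IP-learned attribute observed while it holds is tagged to the MAC;
  - a binding known only from a router ARP cache polled by NetMap over
    SNMP is low confidence: it never overrides a NetWatch binding, and
    an IP change detected through it discards untagged IP-learned data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

HIGH = "high"   # NetWatch-observed DHCP or ARP
LOW = "low"     # NetMap router ARP cache via SNMP


@dataclass
class Endpoint:
    mac: str
    ip: Optional[str] = None
    confidence: Optional[str] = None
    # IP-learned attribute -> True if tagged to the MAC (persists across IP changes)
    ip_learned: Dict[str, bool] = field(default_factory=dict)

    def _ip_changed(self, new_ip: str) -> None:
        """On an IP change only MAC-tagged IP-learned attributes survive."""
        if self.ip is not None and self.ip != new_ip:
            self.ip_learned = {a: True for a, tagged in self.ip_learned.items() if tagged}
        self.ip = new_ip


class BindingTable:
    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}

    def _ep(self, mac: str) -> Endpoint:
        return self.endpoints.setdefault(mac.lower(), Endpoint(mac.lower()))

    def netwatch_binding(self, mac: str, ip: str) -> Endpoint:
        """Methods 1 and 2: full DHCP or ARP exchange seen on a NetWatch monitor interface."""
        ep = self._ep(mac)
        ep._ip_changed(ip)
        ep.confidence = HIGH
        return ep

    def netmap_arp_cache(self, mac: str, ip: str) -> Endpoint:
        """Method 3: router ARP cache entry polled by NetMap; may be stale."""
        ep = self._ep(mac)
        if ep.confidence == HIGH:
            return ep            # NetMap data never updates a NetWatch-derived mapping
        ep._ip_changed(ip)       # low-confidence change: untagged attributes are cleared
        ep.confidence = LOW
        return ep

    def observe_ip_attribute(self, ip: str, attr: str) -> Optional[Endpoint]:
        """IP-learned observation (open TCP port, traffic-rule match) keyed only by IP."""
        for ep in self.endpoints.values():
            if ep.ip == ip:
                # tagged to the MAC only while the binding is high confidence
                ep.ip_learned[attr] = ep.confidence == HIGH or ep.ip_learned.get(attr, False)
                return ep
        return None              # no mapping: nothing to attribute the observation to

    def attributes(self, mac: str) -> set:
        """IP-learned attributes currently associated with the endpoint."""
        return set(self._ep(mac).ip_learned)


def scenario() -> BindingTable:
    """Constructed walk-through of both paths (MACs and IPs are made-up samples)."""
    t = BindingTable()
    # Printer A: NetWatch sees its DHCP lease, then a TCP/9100 connection is observed.
    t.netwatch_binding("00:11:22:aa:bb:01", "10.0.1.50")
    t.observe_ip_attribute("10.0.1.50", "tcp/9100")
    # A stale router ARP entry for A must not override the NetWatch binding.
    t.netmap_arp_cache("00:11:22:aa:bb:01", "10.0.1.99")
    # A renews and gets a new address: the tagged attribute stays with the MAC.
    t.netwatch_binding("00:11:22:aa:bb:01", "10.0.1.60")
    # Device B: binding known only from a router ARP cache.
    t.netmap_arp_cache("00:11:22:aa:bb:02", "10.0.2.10")
    t.observe_ip_attribute("10.0.2.10", "tcp/9100")
    # Cache later shows B at another address: low confidence, IP-learned data dropped.
    t.netmap_arp_cache("00:11:22:aa:bb:02", "10.0.2.11")
    return t
```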

Endpoint Identity Monitoring

Because non-authenticating or non-NAC endpoints are given special accommodation (for example, they are not challenged by the authenticator or NAC system) in the authenticated or admission-controlled enterprise network, those endpoints must be monitored over time. It is important to ensure that these endpoints exhibit only attributes consistent with the profile that led to the authentication or NAC accommodation, and do not begin to exhibit attributes associated with endpoints that should in fact participate in the full authentication or admission control process before being allowed onto the network. For the most part, endpoints that cannot authenticate or participate in admission control are special-purpose devices, such as printers, UPSs and IP Phones, that provide a single service or purpose on the network.

When endpoints that were classified originally as special-purpose begin to exhibit attributes of general purpose computing devices (for example, desktop and laptop computers) this should raise concern. Potentially the basic credential of the special purpose endpoint, typically its MAC address, has been compromised possibly in a deliberate attempt by a user on a general purpose device to thwart the authentication or admission control mechanisms implemented to control access to the network.

Prevention of this scenario is precisely the capability provided by the Identity Monitoring functionality of the Cisco NAC Profiler. Cisco NAC Profiler is continuously collecting and analyzing the identity attributes exhibited by endpoints utilizing the network via the Cisco NAC Profiler Collectors. When the identity attributes of an endpoint change, the Cisco NAC Profiler Server evaluates whether or not the observed changes warrant a change in the Profile the endpoint is currently matching. If a change in Profile is warranted, the Cisco NAC Profiler Server transitions the endpoint Profile and provides alerts to network and security management. In addition, Cisco NAC Profiler is able to change the accommodation provided by the authentication or NAC system to that particular endpoint in an automated fashion. The end result is that the endpoint that exhibits inconsistent attributes and is subsequently re-profiled is no longer permitted access to the network. The attempt to thwart the edge security system by what is commonly termed "MAC spoofing" is countered effectively and automatically by the Identity Monitoring capability of Cisco NAC Profiler.

Whereas Endpoint Profiling provides automated population of exception lists or white lists to accommodate non-authenticating and non-NAC nodes, Identity Monitoring provides an additional security mechanism as well as automated ongoing management of these critical elements of network authentication and admission control systems. The Identity Monitoring functionality of Cisco NAC Profiler adds a second credential to the known and authorized non-authenticating or non-NAC endpoints: a specified set of attributes that endpoints of this type should and should not exhibit. This provides continuous monitoring of endpoints to ensure that the MAC address of an endpoint afforded MAC authentication privileges cannot be exploited as a means to bypass network authentication or admission control.
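Rule-based best-match profiling and the Identity Monitoring re-evaluation that follows a change in attributes, as an added example (illustrative code written for this chapter, not Cisco NAC Profiler code; the profile names, rule weights and attribute strings are constructed, and the additive scoring is an assumption since the text describes best-match selection without a formula):

```python
"""Rule-based profiling with "best match" and Identity Monitoring re-evaluation.

Added illustration, not Cisco NAC Profiler code. The profile names,
rule weights and attribute strings are constructed for the example; the
chapter describes rules and best-match selection but not a scoring
formula, so the additive weights here are an assumption.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Attrs = Set[str]   # observed identity attributes, e.g. "tcp/9100", "mac-vendor:Hewlett-Packard"


@dataclass
class Rule:
    test: Callable[[Attrs], bool]   # predicate over the endpoint's observed attributes
    weight: int                     # contribution to the profile score (assumption)


@dataclass
class Profile:
    name: str
    accommodated: bool              # exempted from 802.1X/NAC by MAC (MAB / white list)
    rules: List[Rule]

    def score(self, attrs: Attrs) -> int:
        return sum(r.weight for r in self.rules if r.test(attrs))


def has(prefix: str) -> Callable[[Attrs], bool]:
    """Rule predicate: some observed attribute starts with prefix."""
    return lambda attrs: any(a.startswith(prefix) for a in attrs)


PROFILES = [
    Profile("Printer", True, [
        Rule(has("tcp/9100"), 10),                   # accepts raw print jobs (IP-learned, NetWatch)
        Rule(has("mac-vendor:Hewlett-Packard"), 5),  # OUI registered to a printer maker (MAC-learned)
    ]),
    Profile("Windows Workstation", False, [
        Rule(has("user-agent:Mozilla"), 10),         # browser user agent seen in HTTP (NetWatch)
        Rule(has("dhcp-option-60:MSFT"), 10),        # Windows DHCP vendor class (MAC-learned)
        Rule(has("ad-domain:"), 10),                 # Active Directory domain membership (NetMap)
    ]),
]


def best_match(attrs: Attrs, profiles: List[Profile] = PROFILES) -> Optional[Profile]:
    """Pick the profile with the highest score; None if no rule matches at all."""
    best = max(profiles, key=lambda p: p.score(attrs))
    return best if best.score(attrs) > 0 else None


class IdentityMonitor:
    """Keeps each endpoint's attribute set and current Profile, re-evaluating on change."""

    def __init__(self) -> None:
        self.state: Dict[str, Tuple[Attrs, Optional[Profile]]] = {}

    def observe(self, mac: str, new_attrs: Attrs) -> Optional[dict]:
        """Merge newly observed attributes and report a Profile transition, if any."""
        old_attrs, old_profile = self.state.get(mac, (set(), None))
        attrs = old_attrs | new_attrs
        profile = best_match(attrs)
        self.state[mac] = (attrs, profile)
        if profile is old_profile:
            return None
        event = {"mac": mac,
                 "from": old_profile.name if old_profile else None,
                 "to": profile.name if profile else None,
                 "revoke_accommodation": False}
        # An accommodated (MAC-exempted) endpoint that now looks like a general-purpose
        # host is the MAC-spoofing indicator the chapter describes: alert and withdraw
        # the exemption so the endpoint must go through full authentication/NAC.
        if old_profile and old_profile.accommodated and profile and not profile.accommodated:
            event["revoke_accommodation"] = True
        return event


def scenario() -> Tuple[Optional[dict], Optional[dict]]:
    """Constructed walk-through: a printer whose MAC is later reused by a Windows host."""
    mon = IdentityMonitor()
    mac = "00:11:22:33:44:55"   # constructed sample MAC
    first = mon.observe(mac, {"mac-vendor:Hewlett-Packard", "tcp/9100"})
    second = mon.observe(mac, {"user-agent:Mozilla/5.0", "dhcp-option-60:MSFT 5.0"})
    return first, second
```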

Endpoint Profiling and Identity Monitoring Approaches in Brief

Cisco NAC Profiler uses a number of mechanisms to establish and maintain a complete contextual inventory of all devices connected to the network, including their type and location (switch and port). Cisco NAC Profiler does not operate in an "inline" mode, and does not require visibility of network traffic at every broadcast/Layer 2 domain on the network. Cisco NAC Profiler can operate effectively in a network segmented both at layer 2 via VLANs and at layer 3.

Cisco NAC Profiler Collectors are deployed at aggregation points in the network where traffic between the endpoints and centralized services (for example, application and print servers, Internet links, etc.) is accessible and can be redirected to a monitoring interface on the Cisco NAC Profiler Collector. Cisco NAC Profiler Collectors can be collocated on and run alongside the Cisco NAC Appliance NAC Server, or may be run in standalone mode. In this mode, only the Profiler Server Collector is run on the NAC Server. The distributed Collectors of a Cisco NAC Profiler system aggregate endpoint information into the centralized Cisco NAC Profiler Server as described in Chapter 2, "Overview: Cisco NAC Profiler Architecture".

Cisco NAC Profiler does not rely on any software agents loaded on the endpoints, nor does it require administrator-level access to endpoints in order to perform Endpoint Profiling or Identity Monitoring. Cisco NAC Profiler instead relies on directly observable attributes of endpoint identity on the network combined in some cases with information gathered from the network infrastructure devices (for example, edge switches, routers, NetFlow collectors, etc.) to perform its functions. In many environments, Cisco NAC Profiler can primarily operate in passive mode, but it also includes active components that can leverage standard information from network services (for example, DNS) in a non-invasive fashion to Profile certain endpoints that are difficult to Profile passively.

Unlike other IT asset inventory discovery systems, Cisco NAC Profiler continually performs its functions and maintains real time and historical databases of information about endpoints in the environment. It does not operate on a "snapshot" basis that periodically scans the network to determine what is connected and characterizes endpoint types based on techniques such as open port scanning. Cisco NAC Profiler continually monitors the identity attributes exhibited by each endpoint in the course of network usage and updates its database based on data supplied by the Collector modules to evaluate which Profile the endpoint best matches. History is maintained on each endpoint to provide a summary view into the Profile(s) an endpoint has been in, the addresses it has used, and where it has been connected to the network.

It is often assumed that a Cisco NAC Profiler system, specifically the passive traffic analysis component, must be capable of high sustained throughput to process feeds of aggregated network traffic. Cisco NAC Profiler is never deployed in an inline mode and cannot become a bottleneck. Unlike an IDS or IPS that must examine essentially every packet that is presented to it in order to detect a potential attack on the network, Cisco NAC Profiler needs to examine only the packets that are useful for Endpoint Profiling and Identity Monitoring. Cisco NAC Profiler therefore does not require massive throughput capabilities, and because it does not need to store all packet information to support forensic activities, its data storage requirements are relatively small.

Cisco NAC Profiler is flexible enough to provide Endpoint Profiling and Identity Monitoring in just about any environment, even those where some of these capabilities are not practical. There are considerations and trade-offs when collecting and utilizing different sources of endpoint data. Depending on the networking environment, the level of granularity of Endpoint Profiling and the ability to provide Identity Monitoring is proportional to the visibility and access granted to the system.

The Cisco NAC Profiler Collectors utilize several different component modules that operate at various levels of the OSI stack, beginning at layer 2. Cisco NAC Profiler tracks the individual endpoints discovered on the network by their physical network interface address (the MAC address) and the registered manufacturer of that interface.

Cisco NAC Profiler can use SNMP communication with the network infrastructure devices to discover all endpoints utilizing the network. Cisco NAC Profiler regularly polls the switches and routers in the network via SNMP to determine what endpoints are connected to what ports, and what logical (IP) address each device is currently using. If one or more NetWatch modules are provided with redirected endpoint DHCP traffic, this is used as an alternative method of endpoint discovery. The Cisco NAC Profiler engine resolves the network topology down to the end nodes to develop a model or map of the network.

Cisco NAC Profiler communicates using the same protocol employed for enterprise network device management, SNMP, in Read Only mode to gather topological information from network devices at a configurable interval. Because Cisco NAC Profiler is interested in only a small subset of the Management Information Base maintained on these devices, the regular polling by Cisco NAC Profiler is not bandwidth intensive and does not impact the devices adversely. When SNMP polling is available, Cisco NAC Profiler can rapidly and accurately ascertain all endpoints present in the environment. In the absence of SNMP, Cisco NAC Profiler relies on other means to build out the list of devices in the environment, including DHCP traffic analysis as mentioned earlier.

Note In the current Cisco NAC Profiler version, there is no mechanism for pre-populating the system with endpoints (MAC Addresses). In order for an endpoint to be discovered and subsequently profiled by Cisco NAC Profiler, the endpoint MAC must be learned by the Cisco NAC Profiler by either the NetMap or NetWatch methods outlined above.

Cisco NAC Profiler leverages SNMP traps from the edge infrastructure when available to detect changes in the endpoint topology in near real-time. Cisco NAC Profiler uses Link State traps to determine when endpoints join or leave the network in order to immediately poll affected devices to re-map the network topology. When SNMP traps are not available, Cisco NAC Profiler uses a series of timers to obtain network change information. This can result in potential delays in the system's ability to respond to network changes in real time, but in practice the timers provide the necessary functionality to track the movement of endpoints.

Cisco NAC Profiler is also able to track and utilize the logical (IP) addressing of endpoints as a criterion for Profiling. Cisco NAC Profiler continually tracks the physical-to-logical address bindings of each endpoint, and rules can be created that associate endpoints using specific addresses with a device type. This enables a straightforward approach to Profiling statically-addressed devices such as network infrastructure or other devices that are known to be addressed from a reserved pool of host addresses.

When Collector modules are provided with redirected network traffic, typically aggregated traffic between the endpoints and the segments serving the shared services (for example, data and application servers, Internet link, etc.), Cisco NAC Profiler can perform profiling based on observable attributes of endpoint identity at the network layer and above. With the exception of DHCP, NetWatch gathers the IP-learned endpoint attributes outlined earlier in the chapter. Cisco NAC Profiler is given access to traffic from these segments through traffic redirection (for example, mirror ports, SPAN, RSPAN, and so on), which delivers the traffic to a monitoring interface on a Cisco NAC Profiler Collector running the NetWatch module against that interface.

In addition to these discovery mechanisms that reside on the Collector, the Profiler Server can process NetFlow export data records from NetFlow collectors already deployed in the network. By examining network traffic directly, or traffic flow data summarized in NetFlow XDRs, Cisco NAC Profiler can match endpoint traffic flows to Traffic Rules in enabled profiles that can be employed to make Profiling decisions. Some examples of using endpoint traffic or flow data for Endpoint Profiling are provided below:

•Cisco NAC Profiler is able to identify endpoints that communicate with certain resources on a given service (for example, a specific TCP or UDP port). For example, printers can be identified by observing communications to and from the print servers on designated Windows printing ports. (NetWatch and NetRelay)

•Cisco NAC Profiler is able to positively identify certain devices based on the observation of identifiable software agents running on the endpoints. For example, Windows devices can be identified by the HTTP User-Agent header that the station's web browser sends when browsing a website. (NetWatch only)

•Cisco NAC Profiler is able to identify different server types by observing server banners from SMTP or Web servers. (NetWatch only)

•Cisco NAC Profiler is able to determine that endpoints have specified TCP ports open by observing network traffic passively, or by using the active profiling techniques provided by the NetInquiry Collector component. (NetWatch (passively) and NetInquiry (actively))

•Cisco NAC Profiler will collect TCP stack information (for example, TTL, window size, etc.) for endpoints if NetWatch is able to observe the endpoint establishing a TCP connection to another endpoint. (NetWatch only)

Cisco NAC Profiler Collectors are also able to glean information from network services such as DNS and DHCP. In the case of DHCP, a NAC Profiler Collector running NetWatch can process DHCP requests from endpoints utilizing the protocol for dynamic addressing and other configuration. DHCP packets originated by endpoints can be examined for client name, client vendor, and options information to be used in Profiling. DHCP packets from endpoints on the VLANs providing endpoint connectivity can be delivered to the NAC Profiler Collector in one of two ways:

•A monitoring interface on a NAC Profiler Collector appliance can have the traffic from the LAN segment supporting the DHCP server(s) redirected to it. In this mode, all DHCP requests from the endpoints utilizing the DHCP service are received by the monitor interface and examined for the client name, client vendor information and options information. In addition, the responses to those requests from the DHCP service (Acknowledgements specifically) contain the committed IP address for endpoints which can be used by Cisco NAC Profiler as described previously for maintaining the IP-to-MAC mapping of endpoints addressed by DHCP.

•Alternatively, DHCP relay (configured with an ip helper-address on the LAN-facing router interface) can be used to forward a copy of all DHCP requests from the LAN(s) served by that router interface directly to the management interface of a NAC Profiler Collector running NetWatch. The Cisco NAC Profiler system does not take part in the DHCP protocol; it simply uses these relayed copies of the DHCP packets sent by the endpoints to gather Profiling data. Note that when using the IP helper technique to forward endpoint packets to the Cisco NAC Profiler Collector, NetWatch has visibility into the requests from the endpoints only; the Cisco NAC Profiler system does not see the DHCP responses from the DHCP service that carry the committed IP address, and therefore must rely on other techniques to determine the current IP address of the endpoint. Note also that on Cisco IOS an ip helper-address forwards several other UDP broadcast types by default (for example TFTP, DNS, NetBIOS name and datagram service, TACACS and Time) in addition to BOOTP/DHCP; those can be excluded with no ip forward-protocol udp so that only DHCP reaches the Collector.
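
The following example is added here to show the DHCP processing the two delivery methods above feed; it is not Cisco NAC Profiler code. It decodes the client-supplied attributes a Collector would key on (client name in option 12, vendor class in option 60, parameter request list in option 55) from raw DHCP packets, records the committed address from a server ACK, and flags packets that arrived via relay (giaddr set) rather than SPAN. The packets are constructed with build_dhcp(), and the profile rules in RULES, including the US-CART- host naming convention, are illustrative assumptions rather than Cisco's rule base.

```python
"""Pull DHCP profiling attributes and IP-to-MAC bindings out of raw packets.

Added example, not Cisco NAC Profiler code. The packets are constructed by
build_dhcp() (RFC 2131 layout); the profile rules in RULES and the host
naming convention they key on are illustrative assumptions, not Cisco's
rule base.
"""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"          # options magic cookie, RFC 2131 / RFC 1497
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS = 12, 53, 55, 60
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def _ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_dhcp(op: int, mac: str, xid: int, options, yiaddr="0.0.0.0",
               giaddr="0.0.0.0") -> bytes:
    """Constructed packet: fixed BOOTP header, magic cookie, TLV options, end."""
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op htype hlen hops xid secs flags
    pkt += _ip("0.0.0.0") + _ip(yiaddr) + _ip("0.0.0.0") + _ip(giaddr)  # ciaddr yiaddr siaddr giaddr
    pkt += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")          # chaddr
    pkt += b"\0" * 192 + MAGIC                                            # sname + file
    return pkt + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"


@dataclass
class DhcpFingerprint:
    msg_type: str
    mac: str
    relayed: bool                  # giaddr set: arrived via ip helper, not SPAN
    hostname: Optional[str]        # option 12, supplied by the client
    vendor_class: Optional[str]    # option 60, supplied by the client
    param_list: Tuple[int, ...]    # option 55; order is part of the fingerprint
    yiaddr: Optional[str]          # committed address, only in OFFER/ACK


def parse_dhcp(pkt: bytes) -> DhcpFingerprint:
    """Decode the fields profiling keys on; remaining options are kept raw."""
    if len(pkt) < 241 or pkt[1] != 1 or pkt[2] != 6 or pkt[236:240] != MAGIC:
        raise ValueError("not an Ethernet DHCP packet")
    yiaddr = ".".join(map(str, pkt[16:20]))
    giaddr = ".".join(map(str, pkt[24:28]))
    mac = ":".join(f"{b:02x}" for b in pkt[28:34])
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                 # pad
            i += 1
            continue
        if code == 255:               # end
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")

    def text(code: int) -> Optional[str]:
        return opts[code].decode("ascii", "replace") if code in opts else None

    return DhcpFingerprint(
        msg_type=msg_type, mac=mac, relayed=giaddr != "0.0.0.0",
        hostname=text(OPT_HOSTNAME), vendor_class=text(OPT_VENDOR_CLASS),
        param_list=tuple(opts.get(OPT_PARAM_LIST, b"")),
        yiaddr=yiaddr if msg_type in ("OFFER", "ACK") and yiaddr != "0.0.0.0" else None)


# Illustrative rules, most specific first; the first match wins.
RULES: List[Tuple[str, Callable[[DhcpFingerprint], bool]]] = [
    ("Ultrasound cart (site naming convention)",
     lambda fp: (fp.hostname or "").upper().startswith("US-CART-")),
    ("Windows workstation", lambda fp: (fp.vendor_class or "").startswith("MSFT 5.0")),
    ("Embedded device (minimal option set)",
     lambda fp: fp.vendor_class is None and fp.param_list == (1, 3, 6)),
]


def classify(fp: DhcpFingerprint, rules=RULES) -> Optional[str]:
    return next((name for name, test in rules if test(fp)), None)


def update_bindings(bindings: Dict[str, str], fp: DhcpFingerprint) -> Dict[str, str]:
    """Learn IP-to-MAC from server ACKs; visible with SPAN, absent via ip helper."""
    if fp.msg_type == "ACK" and fp.yiaddr:
        bindings[fp.mac] = fp.yiaddr
    return bindings


# Constructed sample traffic.
CART_MAC = "00:1e:36:0c:aa:fe"
WIN_PARAMS = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
DISCOVER = build_dhcp(1, CART_MAC, 0x3903F326, [
    (OPT_MSG_TYPE, b"\x01"), (OPT_HOSTNAME, b"US-CART-07"),
    (OPT_VENDOR_CLASS, b"MSFT 5.0"), (OPT_PARAM_LIST, WIN_PARAMS)])
ACK = build_dhcp(2, CART_MAC, 0x3903F326, [(OPT_MSG_TYPE, b"\x05")], yiaddr="10.1.20.9")
RELAYED_REQUEST = build_dhcp(1, "00:50:56:ab:cd:01", 0x11223344, [
    (OPT_MSG_TYPE, b"\x03"), (OPT_HOSTNAME, b"RAD-WS-44"),
    (OPT_VENDOR_CLASS, b"MSFT 5.0"), (OPT_PARAM_LIST, WIN_PARAMS)], giaddr="10.1.30.1")

if __name__ == "__main__":
    bindings: Dict[str, str] = {}
    for pkt in (DISCOVER, ACK, RELAYED_REQUEST):
        fp = parse_dhcp(pkt)
        update_bindings(bindings, fp)
        print(fp.msg_type, fp.mac, "relayed" if fp.relayed else "span", classify(fp))
    print(bindings)
```

Everything in options 12, 55 and 60 is asserted by the endpoint itself and can be set to any value by whoever controls it, so a DHCP-based match is evidence, not proof; the relayed packet above carries no committed address, which is exactly the gap the ip helper method leaves and the SPAN method fills.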

In environments where the passive techniques are not sufficient to Profile 100% of the endpoints, Cisco NAC Profiler can utilize active Profiling techniques. Active profiling capability is an option that can be used in certain environments, particularly in cases where there are statically addressed endpoints that do not regularly communicate with centralized services.

The Cisco NAC Profiler active profiling capabilities, provided by the NetInquiry module running on the NAC Profiler Collector(s), are significantly different from other tools repurposed for endpoint discovery. For example, the Cisco NAC Profiler approach to active profiling does not utilize an active port scanner that subjects endpoints to a barrage of traffic to determine what ports a given endpoint will open. Rather, Cisco NAC Profiler allows the administrator to configure several selective probes of selected endpoints themselves, or of network services such as DNS, in order to actively gather endpoint data useful for Profiling and Identity Monitoring.

For example, the active Profiling capability can be used to have the Cisco NAC Profiler system, the NetInquiry module running on a designated Collector specifically, initiate a connection on a designated TCP port with endpoints on a designated part of the network (VLAN or subnet). The NAC Profiler Collector running NetInquiry with an active TCP Open Port rule in an enabled profile will attempt to establish a session on a given TCP port with a specified set of stations, and the success or failure of that attempt is captured and analyzed by the NetInquiry module.

In addition to attempting to actively create TCP sessions with designated endpoints, active Profiling can be used to query DNS (via reverse lookup, or via zone transfer (AXFR) if the DNS server permits it) to get the hostnames of selected endpoints. Because a zone transfer hands out the entire zone, most DNS servers restrict AXFR to their listed secondaries, so the Collector's address must be explicitly permitted on the server for that option to work; reverse lookups need no such change. Finally, NetInquiry can also be used in conjunction with the Web Server Type and SMTP Server Banner rule types to request web and SMTP server banners from selected endpoints to determine the presence and type of mail and web servers. The NAC Profiler Server evaluates rules using these parameters against the actively generated traffic as well as the traffic collected passively, finds matches, and assigns endpoints to the correct Profiles.
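
The following example is added here to show the shape of the selective probing described in the preceding paragraphs; it is not Cisco NAC Profiler code. It makes exactly one TCP connect() per station on the port named by a rule, reads only the greeting the service volunteers, and matches that greeting against banner rules. To run offline it starts its own loopback listener as a stand-in for an SMTP server; the rules in BANNER_RULES and the function names are illustrative assumptions.

```python
"""Selective active probing: one TCP connect per target per rule, plus banner rules.

Added example, not Cisco NAC Profiler code. It starts its own loopback
listener so it runs offline; the rules in BANNER_RULES are illustrative
assumptions, not Cisco's rule base.
"""
import re
import socket
import threading
import time
from typing import Dict, List, Optional, Tuple

# Illustrative SMTP Server Banner rules: (profile name, pattern on the greeting).
BANNER_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("SMTP server (Postfix)", re.compile(r"^220 .*\bPostfix\b", re.I)),
    ("SMTP server (Microsoft Exchange)", re.compile(r"^220 .*Microsoft ESMTP", re.I)),
    ("SMTP server (unidentified)", re.compile(r"^220 ")),
]


def start_banner_listener(banner: bytes) -> Tuple[socket.socket, int]:
    """Loopback stand-in for a mail server; returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_loopback_port() -> int:
    """A port with nothing listening, to demonstrate the 'closed' result."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_tcp(host: str, port: int, timeout: float = 1.0,
              read_banner: bool = True) -> Tuple[str, Optional[str]]:
    """Single connect() to one port. Returns (open|closed|filtered, banner).

    Unlike a port scanner this touches only the port named in the rule and
    reads only whatever greeting the service sends on its own."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:   # RST: host is up, nothing listening
        s.close()
        return "closed", None
    except OSError:                  # timeout or unreachable: dropped or filtered
        s.close()
        return "filtered", None
    banner = None
    if read_banner:
        try:
            banner = s.recv(512).decode("ascii", "replace").strip() or None
        except OSError:
            banner = None
    s.close()
    return "open", banner


def classify_banner(banner: Optional[str]) -> Optional[str]:
    """First matching banner rule wins; the most specific rules are listed first."""
    if not banner:
        return None
    for name, pattern in BANNER_RULES:
        if pattern.search(banner):
            return name
    return None


def run_open_port_rule(targets: List[str], port: int,
                       pause: float = 0.1) -> Dict[str, Tuple[str, Optional[str]]]:
    """Apply one TCP Open Port rule to a set of stations, pacing the probes."""
    results = {}
    for host in targets:
        state, banner = probe_tcp(host, port)
        results[host] = (state, classify_banner(banner) if state == "open" else None)
        time.sleep(pause)
    return results


if __name__ == "__main__":
    listener, port = start_banner_listener(b"220 mail.example.test ESMTP Postfix\r\n")
    print(run_open_port_rule(["127.0.0.1"], port))
    print(probe_tcp("127.0.0.1", unused_loopback_port()))
    listener.close()
```

The three outcomes are worth keeping distinct: a refused connection proves the host is up and nothing is listening, a timeout proves only that something in the path dropped the probe, and the banner is accepted as-is, so a banner rule identifies what the service claims to be, not what it is.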

In summary, it is important to reemphasize that the Endpoint Profiling and Identity Monitoring approaches outlined above are selectable based on the specifics of the environment and other considerations. The Cisco NAC Profiler System has been architected to utilize these various approaches so that an effective solution can be deployed in a wide variety of enterprise network environments, supporting a myriad of different IP-enabled endpoints. Cisco NAC Profiler can utilize as much or as little information as is provided to it in order to create and maintain an accurate real-time and historical contextual inventory of all endpoints, while making this information available for use in either the Port Provisioning or Directory modes as described earlier.

Profiling Biomedical Devices: An Example Endpoint Profiling Approach

Developing an approach to Endpoint Profiling for a given endpoint type begins with the development of an understanding of what identity attributes the target endpoint will exhibit on the network that may be observable by the Cisco NAC Profiler system. Specifically, what set of attributes may be available just by virtue of the endpoint utilizing the network, and can that data be collected by a NAC Profiler Collector and in turn evaluated by the NAC Profiler Server? As was described previously, Cisco NAC Profiler has the ability to interact with the network infrastructure to determine the physical (MAC) address of the stations connected to the switches. The first three octets of the MAC address, the Organizationally Unique Identifier (OUI), identify the manufacturer of the network interface, which can be useful to some degree in identifying the maker of a device (it identifies the NIC vendor, which is not always the device vendor), especially a special-purpose device such as a portable ultrasound cart.

In addition, it is typical for medical imaging devices of a number of different types to communicate over the network with Picture Archiving and Communication Systems (PACS) which are dedicated to the storage, retrieval, distribution and presentation of images. The PACS server typically resides in the data center handling images from many different imaging systems such as ultrasound, magnetic resonance imaging, endoscopy, and interfaces with other hospital information systems.

Digital Imaging and Communications in Medicine (DICOM) is a standard for handling, storing, printing, and transmitting information in medical imaging. It includes a file format definition and a network communications protocol. The communication protocol is an application protocol that uses TCP/IP to communicate between systems.

The regular DICOM communication between the devices collecting the images and the PACS server can be observed by the NAC Profiler Collector through the passive traffic analysis techniques described earlier in the document. Traffic flows between the PACS and the imaging devices in the environment could be redirected to NAC Profiler Collectors by the use of SPAN, or the same information could be gleaned by processing NetFlow data, assuming NetFlow collectors are in place between the imaging devices and the PACS. The Endpoint Profile rule set includes rules called Traffic Rules that instruct the NAC Profiler Server to record and analyze network communications (via live traffic analysis or post-processing of NetFlow XDRs) to look for endpoints communicating with one another on specified TCP port numbers, as described earlier in this section.

In the example of a portable ultrasound cart, suppose the site's PACS accepts DICOM associations from the ultrasound carts on TCP port 2100. (The DICOM standard does not fix the port: the listening port of each PACS Application Entity is a site configuration choice, and the ports registered with IANA for DICOM are 104 (acr-nema) and 11112 (dicom), so the value for a Traffic Rule must be taken from the PACS configuration.) The Profile for ultrasound machines would include a Traffic Rule specifying that when the Cisco NAC Profiler system observes a traffic flow between the PACS server and an endpoint on port 2100, the endpoint is very likely to be a network-connected ultrasound device. Because any station that exchanges DICOM with the PACS on that port, such as a radiologist's viewing workstation, would also satisfy a rule based on the port alone, the rule is best combined with other attributes, for example the OUI of the cart manufacturer. Through passive traffic analysis employing NetWatch (or NetRelay) collection in combination with other techniques, the Cisco NAC Profiler system is able, very accurately and in a completely non-intrusive fashion, to identify medical imaging devices by MAC address and current location (for example, switch and port).
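
The following example is added here to show Traffic Rule evaluation over flow records, covering both the port-based examples listed earlier in this section (printers reached from a print server, endpoints talking to a shared service) and the PACS case above; it is not Cisco NAC Profiler code. Flow records of the kind NetFlow export or a SPAN'd session yields are matched against per-profile Traffic Rules, and a profile is only assigned when the MAC vendor prefix also fits, so a radiologist's workstation that talks to the PACS on the same port is left for review instead of being profiled as an ultrasound cart. FLOWS, IP_TO_MAC and PROFILES are constructed; the PACS port 2100 and print-server raw-printing port 9100 are site assumptions, and 00:1e:36 is used as a stand-in vendor prefix rather than a real manufacturer lookup.

```python
"""Match flow records against profile Traffic Rules, corroborated by MAC vendor.

Added example, not Cisco NAC Profiler code. FLOWS, IP_TO_MAC and PROFILES
are constructed sample data; the PACS port 2100 and the print-server raw
printing port 9100 are site assumptions, and 00:1e:36 is a stand-in vendor
prefix, not a real manufacturer lookup.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP = 6


@dataclass(frozen=True)
class Flow:
    """The fields a NetFlow v5 record (or a SPAN'd TCP session) provides."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int


@dataclass
class TrafficRule:
    peer: str               # the shared service: PACS, print server, ...
    port: int
    port_on: str = "peer"   # "peer": service port on the peer; "endpoint": on the station
    proto: int = TCP
    min_packets: int = 1    # drop lone SYNs and scans that never became sessions

    def endpoint(self, f: Flow) -> Optional[str]:
        """Return the non-peer IP when the flow satisfies the rule, else None."""
        if f.proto != self.proto or f.packets < self.min_packets:
            return None
        if f.dst == self.peer:
            port = f.dport if self.port_on == "peer" else f.sport
            return f.src if port == self.port else None
        if f.src == self.peer:
            port = f.sport if self.port_on == "peer" else f.dport
            return f.dst if port == self.port else None
        return None


@dataclass
class Profile:
    name: str
    traffic_rules: List[TrafficRule]
    ouis: Tuple[str, ...] = ()   # when set, the MAC vendor prefix must match too


@dataclass
class Verdict:
    profile: Optional[str]
    traffic_matches: List[str] = field(default_factory=list)


def oui(mac: str) -> str:
    return mac.lower()[:8]


def evaluate(flows: List[Flow], profiles: List[Profile],
             ip_to_mac: Dict[str, str]) -> Dict[str, Verdict]:
    """Profiles are tried in order; the first whose rule and OUI both fit wins.

    Endpoints whose traffic matched but whose vendor did not stay unassigned
    with the matches recorded, so an operator can review them."""
    verdicts: Dict[str, Verdict] = {}
    for prof in profiles:
        for rule in prof.traffic_rules:
            for f in flows:
                ip = rule.endpoint(f)
                if ip is None or ip not in ip_to_mac:
                    continue              # no IP-to-MAC binding: cannot attribute
                mac = ip_to_mac[ip]
                v = verdicts.setdefault(mac, Verdict(None))
                tag = f"{prof.name}: {rule.peer}:{rule.port}"
                if tag not in v.traffic_matches:
                    v.traffic_matches.append(tag)
                if v.profile is None and (not prof.ouis or oui(mac) in prof.ouis):
                    v.profile = prof.name
    return verdicts


# Constructed sample data.
PACS, PRINT_SERVER = "10.1.5.10", "10.1.5.20"
FLOWS = [
    Flow("10.1.20.9", 51734, PACS, 2100, TCP, 412),          # ultrasound cart -> PACS
    Flow(PACS, 2100, "10.1.20.9", 51734, TCP, 380),          # same association, reverse
    Flow("10.1.30.44", 49211, PACS, 2100, TCP, 96),          # radiologist workstation -> PACS
    Flow("10.1.30.44", 55001, PACS, 2100, TCP, 1),           # lone SYN, ignored
    Flow(PRINT_SERVER, 40112, "10.1.40.7", 9100, TCP, 58),   # print server -> printer
    Flow("10.1.20.9", 53310, "10.1.5.30", 443, TCP, 20),     # unrelated HTTPS
]
IP_TO_MAC = {"10.1.20.9": "00:1e:36:0c:aa:fe", "10.1.30.44": "00:50:56:ab:cd:01",
             "10.1.40.7": "00:11:22:33:44:55"}
PROFILES = [
    Profile("Ultrasound cart", [TrafficRule(PACS, 2100, min_packets=10)], ouis=("00:1e:36",)),
    Profile("Network printer", [TrafficRule(PRINT_SERVER, 9100, port_on="endpoint")]),
]

if __name__ == "__main__":
    for mac, v in evaluate(FLOWS, PROFILES, IP_TO_MAC).items():
        print(mac, v.profile or "unassigned", v.traffic_matches)
```

The packet threshold matters with NetFlow input: a scanner or a failed handshake produces a one-packet flow on the same port, and without min_packets it would satisfy the Traffic Rule just as a real DICOM association does. Flow records carry IP addresses only, so an endpoint with no current IP-to-MAC binding cannot be profiled from flows at all, which is why the binding table from SNMP or DHCP has to be maintained alongside them.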